We are having to periodically reboot our FortiGates to restore their connection to WAN1 after they have failed over to WAN2. The service to the ISP modem that is connected to WAN1 appears to drop momentarily and restores on its own or restores after the ISP modem is rebooted, but the FortiGate will not reconnect to WAN1 unless the FortiGate is rebooted.
FortiOS Firmware v6.4.5
WAN1 and WAN2 are configured for DHCP
The following is the SLA and WAN-Failover we currently use in our configuration:
config health-check
    edit "Internet SLA"
        set server "63.97.252.225" "97.105.87.100"
        set interval 1000
        set failtime 60
        set recoverytime 180
        set members 0
        config sla
            edit 1
                set latency-threshold 500
                set jitter-threshold 500
                set packetloss-threshold 10
            next
        end
    next
end
config service
    edit 1
        set name "WAN-Failover"
        set mode sla
        set dst "all"
        set src "Local Store"
        config sla
            edit "Internet SLA"
                set id 1
            next
        end
        set priority-members 1 2
    next
end
Have you determined where the issue lies? Is it an issue of the FGT not having connectivity out WAN1 or is it an issue with SD-WAN not failing over or re-enabling WAN1?
i.e. after ISP on WAN1 comes back, can you ping from FGT out that interface?
Hello Graham,
I have not determined where the issue lies, but on reviewing the system event logs on a FGT that experienced this issue yesterday, it shows the link-monitor for interface WAN1 and the primary VPN going down and the link-monitor for backup interface WAN2 coming up, but once it is determined that the primary ISP modem is online and the FGT and ISP gateways can be pinged from WAN1, the only way to get it to fail back over to WAN1 is to reboot the FGT.
Regards,
NetAdmin1229
Do you have dedicated link-monitor config as well as SD-WAN SLA? Or are you referring to the SD-WAN health-check/SLA as your link monitor?
It would be the SD-WAN health-check/SLA for the link-monitor for WAN1 and WAN2.
Regards,
NetAdmin1229
OK, your recoverytime is set to 180. That means you have to wait for 180 successful responses before the link is considered up again. Are you waiting that long?
You might want to set it to a lower value...
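The failtime/recoverytime hysteresis discussed in the reply above, replayed over constructed probe sequences. This is an added sketch, not part of the thread and not Fortinet code. It assumes probes are counted consecutively (one lost probe restarts the recovery count) and that `interval` is in milliseconds; both are assumptions of the sketch, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class HealthCheck:
    failtime: int            # failed probes before the member is marked dead
    recoverytime: int        # successful probes before it is marked alive again
    interval_ms: int = 1000  # assumed unit: milliseconds between probes

def simulate(hc, probes, alive=True):
    """Replay probe results (True = reply received) and return the list of
    (probe_number, new_state) transitions. Assumes consecutive counting."""
    fails = oks = 0
    transitions = []
    for n, ok in enumerate(probes, start=1):
        if ok:
            oks, fails = oks + 1, 0
        else:
            fails, oks = fails + 1, 0
        if alive and fails >= hc.failtime:
            alive = False
            transitions.append((n, "dead"))
        elif not alive and oks >= hc.recoverytime:
            alive = True
            transitions.append((n, "alive"))
    return transitions

def seconds(hc, probe_number):
    """Elapsed time at a given probe number under the assumed interval unit."""
    return probe_number * hc.interval_ms / 1000

# Constructed probe sequences (not captured from a real device).
OUTAGE = [False] * 90
CLEAN = OUTAGE + [True] * 200                     # ISP returns and stays clean
MARGINAL = OUTAGE + ([True] * 100 + [False]) * 5  # one lost probe per ~100

posted = HealthCheck(failtime=60, recoverytime=180)  # values from the thread
lowered = HealthCheck(failtime=60, recoverytime=5)   # hypothetical lower value

if __name__ == "__main__":
    for name, hc in (("posted", posted), ("lowered", lowered)):
        for label, seq in (("clean", CLEAN), ("marginal", MARGINAL)):
            events = [(seconds(hc, n), s) for n, s in simulate(hc, seq)]
            print(f"{name:8} {label:9} {events}")
```

Under these assumptions the posted values return WAN1 to service 180 seconds after a clean recovery, but a link that drops a single probe every 100 never accumulates 180 consecutive replies and stays marked dead.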
That was a setting that was previously agreed upon for a recovery time and I will suggest that it be lowered and test it in our lab.
Thank you for the input, suggestion and assistance with this issue.
Regards,
NetAdmin1229
If your FortiGate 61E or 61F needs to be rebooted to restore connection to WAN1, it could be due to several reasons. Here are some steps you can take to troubleshoot the issue:
Check the physical connection: Ensure that the WAN1 interface is securely connected to the appropriate network device and that there are no physical issues with the cable.
Check the WAN1 configuration: Verify that the WAN1 interface is configured correctly. Check the IP address, subnet mask, default gateway, and DNS settings.
Check the DHCP lease time: If you are using DHCP to obtain an IP address for the WAN1 interface, check the DHCP lease time. If the lease time has expired, the FortiGate may lose the WAN1 IP address and need to be rebooted to restore the connection.
Check the WAN1 status: Check the status of the WAN1 interface. If the interface is down, try to bring it up manually by running the command "execute wan1" from the CLI.
Check the FortiGate logs: Check the logs for any error messages related to the WAN1 interface. The logs can be found in the FortiGate web interface under Log & Report > Log Access > Forward Traffic.
Update the firmware: If the issue persists, check for firmware updates for the FortiGate. Firmware updates may address known issues that can cause connectivity problems.
Contact Fortinet support: If you have tried all of the above steps and are still experiencing issues, contact Fortinet support for further assistance. They can help you diagnose the issue and provide guidance on resolving the problem.
Regards,
Rachel Gomez